ASA 5516-X Intermittent Downtime
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
You call that sort of performance a midrange device?
No, Cisco calls the ASA 5500-X Series a "next-generation midrange security appliance".
And the most obvious thing here is - how fast is the WAN link?
Performance doesn't matter if the link isn't faster than what the firewall can handle.
-
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service are for. Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Unless the ASA is like $50K, it's likely much less in almost all cases. That said, I still RARELY hear about anyone in the SMB space having a spare, let alone an HA config.
-
@RojoLoco said in ASA 5516-X Intermittent Downtime:
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service are for. Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Cost of downtime would have to be INSANELY high to outweigh the cost of a new Cisco anything.
Downtime is generally either costless, or insanely high.. it's rarely a middle ground.
For example, in my case, for the surgical side it's super high because all new surgeries stop until the system is restored. But on the clinic side it's nearly costless because we just convert to paper and scan documents in later when the system is back online. Otherwise we see patients as normal.
-
@Dashrender said in ASA 5516-X Intermittent Downtime:
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service are for. Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Unless the ASA is like $50K, it's likely much less in almost all cases. That said, I still RARELY hear about anyone in the SMB space having a spare, let alone an HA config.
Don't forget the additional cost for having an active service agreement (you already overpaid for shitty hardware, now give us more blood money so your shitty firewall keeps working... shittily).
And also, in case I hadn't mentioned it already.... FUCK CISCO.
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
This is more an issue with @Jimmy9008 not setting realistic expectations with management. If management signed off on having a single firewall, then he shouldn't be working on it at 4am.
I think this is overstating it. Nothing wrong with him being on call for a problem like this. It's the situation where he can't afford 5 min of downtime that would move to the HA setup...
-
@Dashrender said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
This is more an issue with @Jimmy9008 not setting realistic expectations with management. If management signed off on having a single firewall, then he shouldn't be working on it at 4am.
I think this is overstating it. Nothing wrong with him being on call for a problem like this. It's the situation where he can't afford 5 min of downtime that would move to the HA setup...
I'm with you here. The on-call bit is their recovery operation. Nothing about him being called in at 4AM tells me they need HA.
-
@RojoLoco said in ASA 5516-X Intermittent Downtime:
@Dashrender said in ASA 5516-X Intermittent Downtime:
@coliver said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
@Pete-S said in ASA 5516-X Intermittent Downtime:
Two is one and one is none.
If you are depending on something, there should be two firewalls.
And in that case you just get the faulty one checked out. That's what support and service are for. Now you are paying the price for not having the right setup in the first place.
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
When you get the old one replaced or repaired, have it as a spare on the shelf or better yet set it up in a HA config.
Depends on cost of downtime vs cost of a new ASA.
Unless the ASA is like $50K, it's likely much less in almost all cases. That said, I still RARELY hear about anyone in the SMB space having a spare, let alone an HA config.
Don't forget the additional cost for having an active service agreement (you already overpaid for shitty hardware, now give us more blood money so your shitty firewall keeps working... shittily).
And also, in case I hadn't mentioned it already.... FUCK CISCO.
Sure, but still, compared to downtime that actually costs money, you're likely talking about hundreds of thousands of dollars.
Plus, nothing says you have to do Cisco HA, there are other options.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
You call that sort of performance a midrange device?
No, Cisco calls the ASA 5500-X Series a "next-generation midrange security appliance".
That makes more sense. Just about every networking company calls s*** hardware "state of the art". At least Ubiquiti tells you what the box can actually do.
And the most obvious thing here is - how fast is the WAN link?
Performance doesn't matter if the link isn't faster than what the firewall can handle.
I don't care, it's an ASA, therefore by definition it was way too expensive, and is way too expensive to keep operational. @RojoLoco's blood money. Better to replace the thing as soon as the current support agreement runs out.
Let me repeat, the hardware is fine. It's the purchase price and the ongoing pay to keep it working that is the major issue with every Cisco ASA anything I've worked with.
-
@travisdh1 said in ASA 5516-X Intermittent Downtime:
Better to replace the thing as soon as the current support agreement runs out.
Not sure I agree with even that. Replace with UBNT now, toss a spare on the shelf, and have fewer worries and concerns going forward... no waiting on the Cisco repair crew.
-
I think in a lot of cases people don't have HA where they need it. And then have it where they don't need it.
If you connect branch offices in a hub-and-spoke architecture, that immediately suggests you probably need HA at the hub. Because if the hub fails, everything fails.
-
@Dashrender said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
Better to replace the thing as soon as the current support agreement runs out.
Not sure I agree with even that. Replace with UBNT now, toss a spare on the shelf, and have fewer worries and concerns going forward... no waiting on the Cisco repair crew.
I think you can afford 10 spares on the shelf not just one.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
I think in a lot of cases people don't have HA where they need it. And then have it where they don't need it.
And not just for networking. It's like this for everything.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
If you connect branch offices in a hub-and-spoke architecture, that immediately suggests you probably need HA at the hub. Because if the hub fails, everything fails.
Only if the hub brings down functionality at the sites and the cost of site downtime is large over a very short period of time.
-
@Emad-R said in ASA 5516-X Intermittent Downtime:
@Dashrender said in ASA 5516-X Intermittent Downtime:
@travisdh1 said in ASA 5516-X Intermittent Downtime:
Better to replace the thing as soon as the current support agreement runs out.
Not sure I agree with even that. Replace with UBNT now, toss a spare on the shelf, and have fewer worries and concerns going forward... no waiting on the Cisco repair crew.
I think you can afford 10 spares on the shelf not just one.
That's what we do where needed. A spare is SO cheap, and so much faster than any support contract.
-
@Jimmy9008 said in ASA 5516-X Intermittent Downtime:
I've contacted Cisco already, but that response could be slow, so just asking for troubleshooting tips...
If this is a concern, that alone should rule out keeping it. If you don't trust Cisco 100%, the ASA is worthless as the entire value of an ASA is in the organization's perceived value of Cisco support.
-
@Jimmy9008 said in ASA 5516-X Intermittent Downtime:
It's under support until July 2020. Just trying to make sure I have done all I can before Cisco calls back. Would I be right to say the SSD light should be solid green?
That's pretty soon. Is the value of your time and the company's downtime so trivial that keeping the ASA makes sense? Basically you have to work for free and the company has to have zero loss from downtime to make that ASA worth keeping. Even with the sunk cost of support, it has a negative value to the business.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
Now you are paying the price for not having the right setup in the first place.
With the big mistake being that it is a Cisco ASA. The cost of "support" on that ASA, and the cost of the ASA itself, are really high. That same money could have been cut by like 90%, better gear purchased, and backup gear purchased. Then if something went wrong, you could replace in minutes and have no questions like this. Both the quality of the gear and the useless support make the ASA one of the worst choices out there. Every aspect of it is a problem. Even if you "already own it" and are "under support" it's a bad deal. If you handed me a brand new ASA and a new ten year support contract, I'd just dump it straight in the trash. It has literally zero value because it is too costly to operate compared to better gear.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
I would go up the food chain and ask how important this connection is. If it's important, have a new one shipped out immediately.
Agreed. But where a "new one" is something you can really support and get back up and running quickly, not another ASA.
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
And if they want HA, which it sounds like they should, Edgerouter is a no-go.
It can do VRRP but it can't sync connections or configuration, so it's basically useless for anything mission-critical.
They bought Cisco, so HA and mission critical are the polar opposite of their decision making so far. So nothing looks like HA is needed. EdgeRouter isn't HA, that's totally correct, but given that Cisco was chosen, HA can't be even the most remote need, or else their previous decision making was absolutely backwards (looking at their decisions and perceiving HA needs would be like looking at a Mazda Miata and assuming that they need big rig hauling.)
EdgeRouters don't do full HA, but can be swapped out in minutes with a spare on the shelf. So unless their needs are wildly different than they are acting like they are, the only question is if one EdgeRouter is enough because waiting on Amazon to ship the second $150 unit is fast enough or if having a spare ready to go makes sense.
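For readers weighing the VRRP point made above: the following is an added illustration, not configuration from anyone in this thread, showing what a VRRP pair on two EdgeRouters looks like in EdgeOS `configure` mode. It assumes the command syntax of the EdgeOS CLI, two routers each with `eth0` on the WAN side and `eth1` on the LAN side, and the documentation ranges 203.0.113.0/24 and 192.168.1.0/24 as stand-in addresses; the interface names, group numbers and addresses are illustrative.

```edgeos
# Router A (preferred master): higher priority wins the election.
# The sync-group ties the WAN and LAN groups together so that if one
# side fails over, the other side follows instead of splitting traffic.
set interfaces ethernet eth0 vrrp vrrp-group 10 virtual-address 203.0.113.1/24
set interfaces ethernet eth0 vrrp vrrp-group 10 priority 200
set interfaces ethernet eth0 vrrp vrrp-group 10 preempt true
set interfaces ethernet eth0 vrrp vrrp-group 10 sync-group WAN-LAN
set interfaces ethernet eth1 vrrp vrrp-group 20 virtual-address 192.168.1.1/24
set interfaces ethernet eth1 vrrp vrrp-group 20 priority 200
set interfaces ethernet eth1 vrrp vrrp-group 20 preempt true
set interfaces ethernet eth1 vrrp vrrp-group 20 sync-group WAN-LAN
commit ; save

# Router B (standby): identical except for a lower priority. Both units
# still need their own real addresses on eth0/eth1 and their own copy of
# the firewall/NAT rules, because nothing is replicated between them.
set interfaces ethernet eth0 vrrp vrrp-group 10 virtual-address 203.0.113.1/24
set interfaces ethernet eth0 vrrp vrrp-group 10 priority 100
set interfaces ethernet eth0 vrrp vrrp-group 10 preempt true
set interfaces ethernet eth0 vrrp vrrp-group 10 sync-group WAN-LAN
set interfaces ethernet eth1 vrrp vrrp-group 20 virtual-address 192.168.1.1/24
set interfaces ethernet eth1 vrrp vrrp-group 20 priority 100
set interfaces ethernet eth1 vrrp vrrp-group 20 preempt true
set interfaces ethernet eth1 vrrp vrrp-group 20 sync-group WAN-LAN
commit ; save
```

Two practical caveats match what the post says. First, only the virtual IP moves: the NAT and connection-tracking tables are not replicated, so established flows (including any VPN tunnels terminated on the router) are dropped and must be re-established on the standby. Second, the rule sets are not replicated either, so a firewall change committed on one unit and forgotten on the other will silently diverge until a failover exposes it; keep both configs under version control and diff them.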
-
@Pete-S said in ASA 5516-X Intermittent Downtime:
From this: "Overnight around 3am, all office locations globally lose access to London".
And from this: "I get a call at about 4am"
How does that suggest HA? It suggests that they have a VPN that lost connectivity; it tells us nothing of the value of that connection.
That he got a call only an hour later tells us that for an hour, it wasn't deemed important enough to mention.
So while HA isn't ruled out by any of this, it certainly isn't suggested.